Container Management Utility Run Inside A Container

This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects when a container management binary is run from inside a container. These binaries are critical
components of many containerized environments, and their presence and execution in unauthorized containers could
indicate compromise or a misconfiguration.
"""
false_positives = [
    """
    There is a potential for false positives if the container is used for legitimate administrative tasks that require
    the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
    important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
    or part of legitimate container activity.
    """,
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Container Management Utility Run Inside A Container"
risk_score = 21
rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id: "*" and event.type== "start"
  and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
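The query above is a single EQL predicate with three clauses: `container.id: "*"` requires the event to carry a container ID (the EQL `:` operator is a case-insensitive wildcard match, so `"*"` simply means "present"), `event.type == "start"` is an exact, case-sensitive comparison on a field that ECS commonly stores as an array, and `process.name: (...)` is a case-insensitive membership test on the process basename. The following is an added example, not code from the Elastic rule or the cloud_defend integration: it re-implements that predicate in Python and runs it over a handful of constructed events shaped like ECS documents. The event documents and the `get_field`, `matches_rule` and `alerts` names are this example's own assumptions.

```python
"""Re-implementation of the rule's EQL predicate, run over constructed sample events.

This is an added example; it is not part of the Elastic rule or of Elastic Defend for
Containers. The events below are hand-written to resemble ECS documents and are not
real telemetry.
"""
from fnmatch import fnmatch

# The process names listed in the rule's query, compared case-insensitively.
MANAGEMENT_BINARIES = {
    "dockerd", "docker", "kubelet", "kube-proxy", "kubectl",
    "containerd", "runc", "systemd", "crictl",
}


def get_field(event, path):
    """Resolve a dotted ECS path such as 'process.name' against a nested dict.

    Returns None when any component of the path is missing.
    """
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def _as_list(value):
    # ECS allows scalar or array values; EQL treats an array as "any element matches".
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event):
    """True when the event satisfies the rule's EQL predicate."""
    # container.id: "*"  -> the field must exist; ':' is a case-insensitive wildcard match,
    # and the pattern "*" accepts any string value.
    if not any(isinstance(v, str) and fnmatch(v.lower(), "*")
               for v in _as_list(get_field(event, "container.id"))):
        return False

    # event.type == "start" -> exact, case-sensitive comparison against any array element.
    if "start" not in _as_list(get_field(event, "event.type")):
        return False

    # process.name: (...) -> case-insensitive membership on the basename only.
    # Note the rule inspects process.name alone: a copy of runc saved as /tmp/x is
    # not matched, and a harmless binary renamed to "kubectl" is.
    return any(isinstance(v, str) and v.lower() in MANAGEMENT_BINARIES
               for v in _as_list(get_field(event, "process.name")))


def alerts(events):
    """Return the process.name of every event that would trigger the rule."""
    return [get_field(e, "process.name") for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # kubectl launched inside a container: matches.
    {"container": {"id": "8f1c2d3e4a5b"}, "event": {"type": ["start"]},
     "process": {"name": "kubectl", "executable": "/usr/local/bin/kubectl"}},
    # dockerd on the host with no container.id: the rule ignores host processes.
    {"event": {"type": ["start"]},
     "process": {"name": "dockerd", "executable": "/usr/bin/dockerd"}},
    # runc inside a container but the event is a process exit, not a start.
    {"container": {"id": "8f1c2d3e4a5b"}, "event": {"type": ["end"]},
     "process": {"name": "runc", "executable": "/usr/bin/runc"}},
    # Mixed-case name: ':' is case-insensitive, so this still matches.
    {"container": {"id": "0a9b8c7d6e5f"}, "event": {"type": "start"},
     "process": {"name": "Runc", "executable": "/usr/bin/Runc"}},
    # Ordinary shell inside a container: not in the list.
    {"container": {"id": "0a9b8c7d6e5f"}, "event": {"type": ["start"]},
     "process": {"name": "bash", "executable": "/bin/bash"}},
    # Name that merely contains a listed binary: no wildcard in the list, so no match.
    {"container": {"id": "0a9b8c7d6e5f"}, "event": {"type": ["start"]},
     "process": {"name": "kubelet-wrapper", "executable": "/opt/bin/kubelet-wrapper"}},
]


if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print(f"alert: {name} started inside a container")
```

Running the block against the constructed events alerts on `kubectl` and `Runc` only. Two properties of the query are worth keeping in mind when tuning it: the match is on the basename, so it can be evaded by renaming or copying a binary and will fire on an unrelated binary that happens to carry one of the listed names; and `systemd` is in the list, so images that run systemd as their init process will produce an alert on every container start, which is the kind of legitimate activity the rule's `false_positives` note describes.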
